Talos Vulnerability Report

TALOS-2018-0736

August 13, 2019

CVE Number

CVE-2019-6809

Summary

An exploitable denial-of-service vulnerability exists in the UMAS read strategy functionality of the Schneider Electric Modicon M580 programmable automation controller, firmware version SV2.70. A specially crafted set of UMAS commands can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can send unauthenticated commands to trigger this vulnerability.

Tested Versions

Schneider Electric Modicon M580 BMEP582040 SV2.70

Product URLs

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-248: Uncaught Exception

Details

The Modicon M580 is the latest in Schneider Electric's Modicon line of programmable automation controllers. The device holds a Wurldtech Achilles Level 2 certification and offers global policy controls to quickly enforce various security configurations. Communication with the device is possible over FTP, TFTP, HTTP, SNMP, EtherNet/IP, Modbus and a management protocol referred to as "UMAS."

When attempting to read the Modicon M580's programmed strategy, two UMAS commands - INITIALIZE_DOWNLOAD and DOWNLOAD_BLOCK - are used to initialize the operation and request blocks from the device, respectively. During normal operation, the amount of data to read from each block is defined via a length field in the INITIALIZE_DOWNLOAD request.

When this field is changed to contain a much smaller value - such as 0x00 or 0x01 - and at least four blocks are requested, the device enters a non-recoverable fault state. In this state, the CPU has entered an error mode where all remote communications have been stopped, process logic stops execution, and the device requires a physical power cycle to regain functionality.
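As an added detection example (not part of the Talos report), the following Python flags the sequence described above, an INITIALIZE_DOWNLOAD with a very small length followed by at least four DOWNLOAD_BLOCK requests from the same source, over a constructed feed of pre-decoded UMAS events. The one-event-per-line format, the "normal" length of 0x0400 and the sanity threshold of 2 are assumptions, since the wire layout of the commands is not reproduced here.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample, one pre-decoded UMAS event per line: "<src> <command> [len=0x..]".
# Assumption: an upstream dissector already decoded the command and the length field.
SAMPLE_LOG = """\
192.0.2.10 INITIALIZE_DOWNLOAD len=0x0400
192.0.2.10 DOWNLOAD_BLOCK
192.0.2.10 DOWNLOAD_BLOCK
192.0.2.10 DOWNLOAD_BLOCK
192.0.2.10 DOWNLOAD_BLOCK
192.0.2.77 INITIALIZE_DOWNLOAD len=0x01
192.0.2.77 DOWNLOAD_BLOCK
192.0.2.77 DOWNLOAD_BLOCK
192.0.2.77 DOWNLOAD_BLOCK
192.0.2.77 DOWNLOAD_BLOCK
"""

LINE_RE = re.compile(r"^(\S+)\s+(INITIALIZE_DOWNLOAD|DOWNLOAD_BLOCK)(?:\s+len=(0x[0-9a-fA-F]+))?$")

MIN_SANE_LENGTH = 2   # assumption: the report names 0x00 and 0x01 as the triggering values
BLOCK_THRESHOLD = 4   # from the report: at least four block requests trip the fault

def parse_log(text: str) -> List[Tuple[str, str, Optional[int]]]:
    """Turn the constructed log into (src, command, length); length is None for DOWNLOAD_BLOCK."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines the dissector did not decode
        src, cmd, hexlen = m.groups()
        events.append((src, cmd, int(hexlen, 16) if hexlen else None))
    return events

def detect_faulting_read(events, min_length=MIN_SANE_LENGTH, block_threshold=BLOCK_THRESHOLD):
    """Per source: INITIALIZE_DOWNLOAD with a tiny length, then >= threshold DOWNLOAD_BLOCKs."""
    pending = {}   # src -> [declared length, blocks seen since that init]
    alerts = []
    for src, cmd, length in events:
        if cmd == "INITIALIZE_DOWNLOAD":
            if length is not None and length < min_length:
                pending[src] = [length, 0]
            else:
                pending.pop(src, None)   # a sane init clears any earlier suspicion
        elif cmd == "DOWNLOAD_BLOCK" and src in pending:
            pending[src][1] += 1
            if pending[src][1] == block_threshold:
                alerts.append((src, pending[src][0], block_threshold))
    return alerts
```

Each alert carries the source, the declared length and the block count, so it can be raised once per suspicious read rather than on every subsequent block.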

The structure of an INITIALIZE_DOWNLOAD command takes a form similar to this: